
Thread: Low Level Graphics Programming Project

  1. #31
    OK, the new target.exe works. Let's see now, what was the original goal we wanted to achieve? UI on top of a d3d rendering?

    --
    Geez, man, there is something wrong with your target.exe; the first time it executes fine but it crashes on the 2nd run. I am using a laptop without a real 3d card. But it's probably got bugs in the code. I have done basically the same thing nico has done and the code injection is pretty easy. But the question is if this is the kind of stuff that works for a commercial game?

    OK, after rebooting about 4-5 times, this is my version of the injected target. I added a new section .inj 4k bytes long and copy/pasted the injecthere code. It works fine and shows both cube and triangle.
    Attached Files
    Last edited by homersux; October 12th, 2004 at 12:36.

  2. #32
    Actually if you NOP the messagebox the cube rotates weird, period; it jerks around, so I think it's a problem with your code, sorry
    hrm, if I knew my code was on trial, I'd never have started. Bit strange though, works fine here. This is one problem with D3D, if you don't set up the caps properly it won't work everywhere. What GFX card do you have?

    Oh, and about rendering with a high z-bias: You don't need to do this if you set the VertexShader to use 2D only coordinates. <snip> For example, if you are drawing a UI over the top, you could probably get away with drawing it at any time, and use 2D FVF's
    Yup, but then you are completely restricted to 2D stuff, so can't do cool things like put a minature version of a 3D map in the corner

    therefore they draw on top of everything else if you have a z = 0.0f
    Actually they'll be drawn on top anyway, the Z component is ignored, it's the RHW component of the FVF/vertex struct that matters.

    homer: If you've just got a built-in card, it's definitely the caps that are the problem. It's awkward and long-winded to set up all the caps properly; you effectively have to test each cap, check the return result, then use that result to set the actual cap. And there's a hell of a lot of caps - if you have the SDK, look for the DirectX Caps Viewer in the DX Utilities dir. So in summary, I was lazy and didn't set them up properly

    But the question is if this is the kind of stuff that works for a commercial game
    Yes, it does. Believe it or not I've coded a commercial game (and on the basis of this crappy code, feel free to not believe it) and the major difference between a game and this sample is that a game will have some kind of base engine to separate the "gameplay" code from the game mechanics, so the D3D device creation will be sandwiched inside a load of other junk. I'm a better coder than reverser, honest
    Still here...

  3. #33
    It seems the difficulty in a real world example is:

    1) finding the location of the p_Device, in this example, it's straightforward once the target is disassembled (it's got a similar code structure with inject).

    2) locating a point for code injection, somewhere between BeginScene and EndScene. In this example, we used static code injection; its cons:
       1) an exe integrity check will dismiss the attempt
       2) it needs to rewrite part of the original exe, or save/restore in a new code segment: lots of code rewriting
       3) the injected code may be complicated and have non-local data references; in our exercise the inject code is nice and compact

    So if I was to attack something more seriously, it means I'll be using dynamic code injection and will patch code on the fly. The added benefit is load/unload patch at will.
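    Taking the device pointer and the BeginScene/EndScene window from the post above: as an added example (not code from this thread or its attachments), the following C shows how, once p_Device is located, a method can be intercepted through the object's vtable without patching the exe's own code at all, which also gives the load/unload-at-will property. Direct3D itself is not used: the device struct, its three-slot table and the slot numbers are constructed for this example (only "slot 0 is QueryInterface" is a COM fact); real IDirect3DDevice8/9 tables are much larger and their slot indices are not given here.

```c
/* Added example (not from the thread): intercepting one method of a COM-style
 * object through its vtable, which is how an injected stub can get control
 * between BeginScene and EndScene once p_Device is known. Direct3D is not used;
 * a stand-in device with the same memory layout (first field = vtable pointer)
 * is constructed here, and the slot numbers are made up for this toy table,
 * not the real IDirect3DDevice8/9 layout. */
#include <stdio.h>
#include <string.h>

typedef long HRESULT_T;          /* stand-in for HRESULT */
#define S_OK_T 0L

/* Slot 0 is QueryInterface on every COM interface; the other two are assumed. */
enum { SLOT_QUERYINTERFACE = 0, SLOT_BEGINSCENE = 1, SLOT_ENDSCENE = 2, NUM_SLOTS = 3 };

typedef struct FakeDevice FakeDevice;
typedef HRESULT_T (*DevMethod)(FakeDevice *self);

struct FakeDevice {
    const DevMethod *vtbl;       /* first member, exactly like a COM object */
    int frames_rendered;
    int overlay_draws;
};

/* The "real" implementation, standing in for the methods inside d3d8/d3d9.dll. */
static HRESULT_T dev_query_interface(FakeDevice *self) { (void)self; return S_OK_T; }
static HRESULT_T dev_begin_scene(FakeDevice *self)     { (void)self; return S_OK_T; }
static HRESULT_T dev_end_scene(FakeDevice *self)       { self->frames_rendered++; return S_OK_T; }
static const DevMethod real_vtbl[NUM_SLOTS] = { dev_query_interface, dev_begin_scene, dev_end_scene };

/* Hook state. The shadow table is a private copy: the DLL's own table stays
 * untouched (no VirtualProtect on it) and only this one object is affected. */
static DevMethod shadow_vtbl[NUM_SLOTS];
static DevMethod real_end_scene;
static const DevMethod *saved_vtbl;

static HRESULT_T hooked_end_scene(FakeDevice *self) {
    self->overlay_draws++;        /* the overlay goes here: BeginScene has run, EndScene has not */
    return real_end_scene(self);  /* always forward, or the frame never gets presented */
}

void install_end_scene_hook(FakeDevice *dev) {
    saved_vtbl = dev->vtbl;
    memcpy(shadow_vtbl, dev->vtbl, sizeof shadow_vtbl);
    real_end_scene = shadow_vtbl[SLOT_ENDSCENE];
    shadow_vtbl[SLOT_ENDSCENE] = hooked_end_scene;
    dev->vtbl = shadow_vtbl;      /* one pointer write: this is the "load" */
}

void remove_end_scene_hook(FakeDevice *dev) { dev->vtbl = saved_vtbl; }   /* the "unload" */

/* What the target's frame loop does, calling through the vtable like compiled C++ would. */
void render_frames(FakeDevice *dev, int n) {
    for (int i = 0; i < n; i++) {
        dev->vtbl[SLOT_BEGINSCENE](dev);
        dev->vtbl[SLOT_ENDSCENE](dev);
    }
}

static void run_demo(FakeDevice *dev) {
    dev->vtbl = real_vtbl; dev->frames_rendered = 0; dev->overlay_draws = 0;
    render_frames(dev, 1);            /* unhooked */
    install_end_scene_hook(dev);
    render_frames(dev, 3);            /* overlay drawn on each of these */
    remove_end_scene_hook(dev);
    render_frames(dev, 2);            /* unhooked again */
}

int demo_frames_rendered(void) { FakeDevice d; run_demo(&d); return d.frames_rendered; }  /* 6 */
int demo_overlay_draws(void)   { FakeDevice d; run_demo(&d); return d.overlay_draws; }    /* 3 */
int demo_vtbl_restored(void)   { FakeDevice d; run_demo(&d); return d.vtbl == real_vtbl; }

int main(void) {
    printf("frames=%d overlays=%d restored=%d\n",
           demo_frames_rendered(), demo_overlay_draws(), demo_vtbl_restored());
    return 0;
}
```

    In a real target the shadow table has to live in memory allocated inside the process, and the real vtable pointer is read from the object p_Device points to; the hook itself is then a single pointer write, and removing it is the same write in reverse.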

  4. #34
    nikolatesla20:
    Well, homersux, the only difference with dynamic injection is:

    1. Allocate memory in the other process with VirtualAllocEX
    2. Relocate any memory location-dependent code in your injection snippet to compensate for the location of the remote memory.
    3. Inject the code (write it) into the remote memory
    4. Write out the small bit of hook code that causes the EXE to jump
    to your newly injected code

    It's that simple. Relocation is actually the hardest and most boring part (if you have to relocate addresses in your injection code).

    Yes, you pretty much always have to either disasm or debug the game live so you can find the appropriate place to inject.

    You could write more advanced code that would start the game EXE and then hook into its Direct3D functions so it would work on more than one game, but it still would be D3D version dependent (since the offsets to methods will be different between an IDirect3D8 and IDirect3D9 interface), and also is a bit more work. But it can be done. In fact, since DirectX is COM based, even though the interfaces are different, you should be able to query the DirectX 9 interface for a DirectX 8 interface pointer thru QueryInterface(). QueryInterface() should be the very first function pointer in the vtable. If you know the interface ID (IID) of the IDirectX8 interface, you could write your code to use DirectX 8 and just always query for this interface in your injection.

    However, this is just theory right now

    Silver: I'm using a Nvidia GeForce2 Ti at work, and a NVidia GeForce4 440MX at home, and it acts the same on both systems. I'll check my modded code again.

    -nt20
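    The four steps above, as an added example that is not nikolatesla20's or the thread's code: one process simulates the remote one, so memcpy stands in for VirtualAllocEx and WriteProcessMemory, all three addresses (link base, hook site, remote block) are made up, and the snippet is 32-bit x86 machine code with one absolute data reference, so that the relocation step has something real to touch. The bytes are only assembled, never executed; the five displaced original bytes are constructed and assumed to be whole, position-independent instructions.

```c
/* Added example (not the thread's code): the four dynamic-injection steps,
 * simulated inside one process. "Remote" memory is a local buffer at a
 * made-up address; memcpy stands in for VirtualAllocEx + WriteProcessMemory.
 * The snippet is 32-bit x86 and is never executed here; the point is the
 * byte-level relocation and the two 5-byte JMPs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical addresses: where the snippet was assembled, where the target's
 * frame loop gets hooked, and what VirtualAllocEx is imagined to return. */
#define LINK_BASE   0x00401000u
#define HOOK_SITE   0x0040234Cu   /* assumed: 5 bytes of whole, position-independent instructions */
#define REMOTE_BASE 0x00A30000u

/* Snippet layout (byte offsets inside the snippet): */
#define DISPLACED_OFF 13          /* the 5 original bytes overwritten by the hook JMP go here */
#define RET_JMP_OFF   18          /* E9 rel32 back to HOOK_SITE+5, patched at inject time */
#define COUNTER_OFF   0x20        /* non-local data the code references by absolute address */
#define SNIPPET_LEN   0x24

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Snippet as assembled at LINK_BASE (constructed for this example):
 *   60                 pushad
 *   A1 20 10 40 00     mov eax, [0x00401020]   ; counter, absolute address -> needs relocation
 *   40                 inc eax
 *   A3 20 10 40 00     mov [0x00401020], eax   ; same
 *   61                 popad
 *   <5 displaced bytes>                         ; filled at inject time
 *   E9 ?? ?? ?? ??     jmp HOOK_SITE+5          ; filled at inject time
 *   ... padding ...
 *   dd 0                                        ; counter at +0x20 */
static const uint8_t snippet_linked[SNIPPET_LEN] = {
    0x60, 0xA1, 0x20, 0x10, 0x40, 0x00, 0x40, 0xA3, 0x20, 0x10, 0x40, 0x00, 0x61,
    0x90, 0x90, 0x90, 0x90, 0x90,                       /* placeholder for displaced bytes */
    0xE9, 0x00, 0x00, 0x00, 0x00,                       /* placeholder return jmp */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* pad to 0x20 */
    0x00, 0x00, 0x00, 0x00                              /* counter */
};
/* Offsets of every imm32 that holds an absolute address: the relocation table. */
static const size_t relocs[] = { 2, 8 };

/* Step 2: rebase each absolute address from where the snippet was assembled to where it will live. */
static void relocate(uint8_t *img, uint32_t old_base, uint32_t new_base) {
    for (size_t i = 0; i < sizeof relocs / sizeof relocs[0]; i++)
        wr32(img + relocs[i], rd32(img + relocs[i]) - old_base + new_base);
}

/* E9 rel32: the displacement is relative to the end of the 5-byte instruction. */
static void emit_jmp(uint8_t *dst, uint32_t from, uint32_t to) {
    dst[0] = 0xE9;
    wr32(dst + 1, to - (from + 5));
}

static uint8_t g_remote[SNIPPET_LEN];   /* stands in for the VirtualAllocEx block in the target */
static uint8_t g_hook[5];               /* the 5 bytes to WriteProcessMemory at HOOK_SITE */

void inject(const uint8_t orig5[5]) {
    memcpy(g_remote, snippet_linked, SNIPPET_LEN);                 /* steps 1 and 3: allocate, write */
    relocate(g_remote, LINK_BASE, REMOTE_BASE);                    /* step 2 */
    memcpy(g_remote + DISPLACED_OFF, orig5, 5);                    /* keep the displaced instructions */
    emit_jmp(g_remote + RET_JMP_OFF, REMOTE_BASE + RET_JMP_OFF, HOOK_SITE + 5);
    emit_jmp(g_hook, HOOK_SITE, REMOTE_BASE);                      /* step 4: the hook itself */
}

void inject_demo(void) {
    /* constructed: mov ecx,[ebp-8]; push ecx; push eax = the 5 bytes overwritten at HOOK_SITE */
    static const uint8_t orig5[5] = { 0x8B, 0x4D, 0xF8, 0x51, 0x50 };
    inject(orig5);
}

uint32_t counter_address_in_remote(void) { return rd32(g_remote + 2); }
int32_t  hook_rel32(void)   { return (int32_t)rd32(g_hook + 1); }
int32_t  return_rel32(void) { return (int32_t)rd32(g_remote + RET_JMP_OFF + 1); }
uint8_t  remote_byte(unsigned off) { return g_remote[off]; }
int snippet_has_linked_address(void) { return rd32(snippet_linked + 2) == LINK_BASE + COUNTER_OFF; }

int main(void) {
    inject_demo();
    printf("counter now at %08X, hook jmp rel32 %08X, return jmp rel32 %08X\n",
           (unsigned)counter_address_in_remote(), (unsigned)hook_rel32(), (unsigned)return_rel32());
    return 0;
}
```

    The relocation table is the part that has to be produced by hand (or by the assembler's output) for every absolute reference in the snippet; the two JMP displacements are computed, not relocated, because they depend on where both ends of the jump land and can only be known once VirtualAllocEx has answered.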

  5. #35
    silver, what're the differences between window mode and full screen d3d? It seems window mode uses a backbuffer of some sort, just from reading your code.

  6. #36
    what're the differences between window mode and full screen d3d
    Well the main difference is that in windowed mode, the D3D front and back buffer surface format must be configured to be the same as the Windows desktop format (bit depth), as well as other params like refresh rate etc. In full-screen mode you have complete control over all display parameters.

    Both windowed and fullscreen use a backbuffer and frontbuffer page flipping system, it's just that windowed mode is far more dependent on Windows...

    nikolatesla, you said:
    If you know the interface ID (IID) of the IDirectX8 interface, you could write your code to use DirectX 8 and just always query for this interface in your injection.
    Not sure I follow, from the context you wrote this in are you saying that you can use DX8 interfaces for a DX9 injection/hack? If so, I'd disagree.

    As a side thought, in a real world example I would think a good approach would be to locate the app's d3d engine wrapper functions and to call those directly. Because doing basic things like drawing boxes and blitting text is such a pain with D3D, every non-trivial app I know of uses at least a wrapper of some sort (eg, MyEngine::TextOut(...) wraps text blitting functions etc), if not a full engine. It would make sense to use these functions where possible, to minimize the amount of work you would have to do in the injected code, not just to reduce the code but also to reduce the dependencies on caps and config.
    Still here...

  7. #37
    nikolatesla20:
    Quote Originally Posted by Silver
    As a side thought, in a real world example I would think a good approach would be to locate the app's d3d engine wrapper functions and to call those directly. Because doing basic things like drawing boxes and blitting text is such a pain with D3D, every non-trivial app I know of uses at least a wrapper of some sort (eg, MyEngine::TextOut(...) wraps text blitting functions etc), if not a full engine. It would make sense to use these functions where possible, to minimize the amount of work you would have to do in the injected code, not just to reduce the code but also to reduce the dependencies on caps and config.

    This is a good thought, you should be able to use the functions in the d3d8/9 libraries since they are DLLs and should be in the other process. It would be interesting to try using those.

    -nt20

  8. #38
    ok, so now can we have some code to be injected to target and displays
    a clock in text?

  9. #39
    hehe, sure thing. I'll do that this weekend. This may be harder to inject as we'll need to create global objects in the target for the injection code. I'll post here when I've done it.

    edit 20/10 - my apologies, I've been really busy the last few days. I'll get this done as soon as I have a bit of spare time. I have a nightmare deadline coming up for coursework material I'm writing
    Last edited by Silver; October 20th, 2004 at 08:58.
    Still here...

  10. #40

    Very interesting

    This topic is VERY interesting and informative. I just happen to be working on a D3d game trainer and I would like to add a status menu of sorts to display in-game.

    Would anyone here happen to have any of the zip files which were attached to this topic? They are all corrupted (since this forum went down). If possible, could you re-up them here?

    Thanks a lot

    Also, Silver, nikolatesla20, and homersux. Would you mind if I use the info in your posts here to make a tutorial?
    I will (of course) credit your names.

  11. #41
    No problem on my part. I never did have time to continue this, unfortunately. Let me know if you would like any DX-specific help with your tut, as this thread is very basic from a DX point of view. I've also apparently misplaced the code I wrote, perhaps homer or nikola still have it along with their injection.
    Still here...

  12. #42
    Let's see if I still have the files.
    Attached Files

  13. #43

    Thanks,

    Thank you Silver and homersux...
    I now have all I need to get going
    Last edited by goggles99; March 22nd, 2005 at 06:35.

  14. #44
    Quote Originally Posted by bilbo
    How does it obtain this info? It reads from the registry a list of the video drivers used by the system (kernel DLLs), and hooks their entry point, which is DrvEnableDriver(), using a powerful hooking engine.
    In this way it obtains a pointer to the driver structure DRVENABLEDATA, and it can hook all the interface functions exported by the driver.

    Regards, bilbo
    How can I find these registry entries? Where are they?
    I'm reading the DDK about video drivers but I'm not
    able to find where win32k.sys/ntoskrnl.exe find and load
    the video driver DLLs!

    Thanks for any help!

    Regards,
    Opcode

  15. #45
    bilbo:
    Sorry, Opcode, if I was confusing you...

    The registry entries are not system-wide entries, but NTICE ones, and they are set at installation time:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice\InstalledDisplayDrivers to enable the hooking
    and
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTice\ExcludedDisplayDrivers to disable it

    Regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt. [Seneca, Epistulae Morales 104, 26] (It is not because things are difficult that we do not dare; it is because we do not dare that they are difficult.)
